Sunday, June 12, 2011

You Know, Backing Up Texts In The iCloud Still Is A Horrible Idea

Go through your Inbox on your mobile phone. The one where all your texts are stored. Yes, go ahead, seriously, look at what is stored there. Now picture someone going through it, seeing your work texts, your mishandled, manhandled and deftly handled friendships, relationships, work and personal. Imagine them being read by a journalist, a spook in an agency. Oh, you think, they wouldn't care? Fine, imagine your colleague reading them all, gripped by curiosity, or your spouse who typed in the password because surely there wouldn't be anything there but a hint of what you wanted for your birthday, your eldest child bored at home, your manager doing a little background check of course, your professional enemy, your lover, or your lover who didn't know about the lover and the wife.

And every file you made. Every picture you ever took with your phone, even those bored-on-the-couch-alone ones, if you didn't immediately delete them. Our personal devices are, well, enormously personal: we play with them idly, we experiment, we compose and send absentmindedly or in the heat of the moment, we keep and discard -- except we do not discard that well. Seriously, go through your phone, your camera, your inbox. See what is in there.

Over here in Britain, a tabloid called News of The World either spoofed Caller ID or tried easy passwords or the default system password to get to the voice mail of celebrities and political figures. The exact extent of the scandal is not known; NotW has never really come clean and the official investigation for some reason or another never seems to really get to the bottom of anything, but it seems to be reaching so far that if your voice mails were not accessed you have cause to fire your publicist for not getting you on the D-list.

But that's celebrities. That's not you. Or is it? If it was so extraordinarily easy, it shouldn't be so hard to get to your voice mails too: Caller ID is actually not that hard to spoof and you probably never actually set a password. But voice mails are actually not that interesting; after all, those are things other people leave on your phone, not things you make. How could anyone get to all your data?

Well, if you have an iPhone, Apple will store it for you. Check this page where it describes its new product, iCloud. It will back up your apps, your books, your documents, and oh yeah, pretty much your camera roll and Inbox on your iPhone, so it can be restored in case of accident. Apple has not disclosed anything about what level of encryption will be used on their servers, whether you can opt out of having certain forms of data backed up or whether it is all or nothing, how long this data will be stored, under what jurisdiction your personal data on your phone and iPad and laptop will be located, and what it would take for law enforcement from which country to be given access to it. And remember, US companies have different track records about standing up to searches: Google strenuously defends its data until it gets a legal request that has the full strength of the law, and the telecom operators basically allowed the NSA to wiretap their networks with full co-operation even though that was blatantly against the law until Congress retro-actively gave them immunity once it all got found out. What side will Apple fall on? I do not know, but if I was the NSA I would love to have a back door into that repository of everyone's personal information, especially if Apple's US servers are where all iPhone data from everywhere resides.

No, seriously, look around you. Think of all your friends with iPhones. How many do you know? What kind of jobs do they have, what kinds of friends and apps, what do they text about? Their data is going to be offloaded to the cloud. Google is already doing that with Android, although I am unsure whether the Inbox currently is being stored too, but if it isn't, it will be, and all other smartphone ecosystems will feel compelled to follow suit and start storing everything, each with their own terms and conditions and locations and security practices. I have written about this before when Skydeck came along, but this issue of your most private conversations stored forever in the cloud just got a lot bigger.

Who knew Sony didn't know how to store passwords? They have had breach after breach after breach of their networked systems, and it turns out on many, if not all of them, they were storing user passwords, and other data like addresses and credit card numbers, unencrypted, ready to be copied and distributed and examined by everyone. I am sure if three months ago you had asked how they stored their data they would have answered it was stored so securely they couldn't tell you how. Turns out it was basically stored as clear as possible. Same with the Gawker network. In fact, those two breaches allowed for a little cross-site analysis, and it turns out that two thirds of the people who had an account on both systems re-used their passwords. Which means they probably re-used it on many, many more systems, if not every one. Someone should try to use those shared login and password credentials to see if they also give access to Apple accounts.

Because that is how the data from your iPhone, or Android phone, or other smartphones soon, ends up accessed once it is 'safely' being stored on the Internet. No matter how it is stored and encrypted on those servers in the data centers, all it will take is the account ID, which is usually an email address, and the password. And because we all have so many places to log in, we re-use passwords, so often the system is basically broken. We write passwords down on notes our colleagues can see when they walk by, we share them over the phone when we need help from a friend to check something, we type them into websites for a prize that could be being run by god knows who, or as shown, hacked by other people. Apple could have perfect secrecy, but you re-use your Apple password on one other site that gets hacked and suddenly everyone can get to the data from your phone stored on the server.

The Apple ID used to just allow access to someone's purchase history, a stored credit card to buy a song or two with, transaction easily reversed if done maliciously. Information breaches cannot be reversed, and the moment iCloud starts backing up that phone, that Apple ID is access to your personal life. Very personal life. Credit cards can be cancelled, transactions reversed, but your boss wanting to fire you entering the password you use for the department web-server into Apple's webservers to see your texts, hackers running the haul from one database breach through iCloud's servers to distribute all the stored photos on Usenet, no, that cannot be cancelled, not be undone. And there are some mean people out there who love to expose private lives for the lulz.

The Danger Hiptop phones in the US also stored everything in the cloud before it was called that, and some celebrities had theirs hacked. Not such a big deal, unless you were that humiliated celebrity or actually hadn't asked your publicist to make that happen for a little more publicity, but we already know this is how stuff happens. Now this is being switched on by a company that owns the phone for a lot of interesting people. A single breach of your data by someone who finds your password is bad for you, but a huge breach a la Sony would be disastrous for Apple, and finding out in a few years Apple gave access to all their data to a security agency would be at the same time almost unimaginable and actually, well, have a precedent in the telecoms world. So all I can say is what Genius Mike already said about this:

Quote me on this: Apple has cut themselves a length of rope sufficient to kill a trillion-$ company. A total iCloud compromise ends them.